Threat Detection
Threat detection comprises practices, technologies or services used:
- to detect that suspicious activity may be occurring on systems/networks, and
- to alert security administrators and security staff.
An attack on a system or network can come from either inside or outside of the University. It could be intentional (e.g., transmittal of viruses, "worms", or "Trojan horses") or unintentional (e.g., accidental deletion of a control file).
Threat detection may include the real-time monitoring of activities such as logons, connectivity, operating system calls, command parameters, or system performance logs. Threat detection safeguards support the analysis of system performance, behavioral anomalies, use patterns and trends (such as degradation in system performance over time), or the existence of known threats (such as known viruses). Automated tools may, for example, monitor the levels and rate of change in disk space on an E-mail server, which may indicate a debilitating inflow of spam or a poorly constructed vacation mail message that has created a logical loop with the potential to consume all available space on that server.
Threat detection may also include a review of activities "after the fact", over a specific time frame (e.g., reviewing the number and types of rejected passwords over time may indicate that a "password cracking" attempt is in progress).
Alerts from automated threat detection tools may be active (immediate paging of appropriate security personnel) or passive (logging specific types of activities to a daily system security log for later review).
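The following is an added illustration, not part of the University's policy text or the VA SCAN materials: an "after the fact" review of rejected logons over a time window, of the kind described above, with each finding classified as an active or passive alert. The log lines are constructed for the example; the sshd-style "Failed password" message layout, the five-minute window, the threshold of five failures and the active/passive rules are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a syslog-style authentication log (not a real capture).
# Source 203.0.113.7 tries many accounts in seconds; 192.0.2.9 hammers one account;
# 198.51.100.22 is an ordinary user who mistyped a password and then logged in.
SAMPLE_LOG = """\
Mar 10 02:14:01 mailhost sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 02:14:03 mailhost sshd[4101]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Mar 10 02:14:05 mailhost sshd[4101]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 10 02:14:08 mailhost sshd[4101]: Failed password for invalid user test from 203.0.113.7 port 51151 ssh2
Mar 10 02:14:10 mailhost sshd[4101]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar 10 02:14:12 mailhost sshd[4101]: Failed password for invalid user guest from 203.0.113.7 port 51171 ssh2
Mar 10 08:30:15 mailhost sshd[4207]: Failed password for jsmith from 198.51.100.22 port 40012 ssh2
Mar 10 08:30:40 mailhost sshd[4207]: Accepted password for jsmith from 198.51.100.22 port 40012 ssh2
Mar 10 09:00:00 mailhost sshd[4300]: Failed password for jsmith from 198.51.100.22 port 40100 ssh2
Mar 10 11:00:00 mailhost sshd[4402]: Failed password for mwong from 192.0.2.9 port 33001 ssh2
Mar 10 11:00:45 mailhost sshd[4402]: Failed password for mwong from 192.0.2.9 port 33002 ssh2
Mar 10 11:01:30 mailhost sshd[4402]: Failed password for mwong from 192.0.2.9 port 33003 ssh2
Mar 10 11:02:15 mailhost sshd[4402]: Failed password for mwong from 192.0.2.9 port 33004 ssh2
Mar 10 11:03:00 mailhost sshd[4402]: Failed password for mwong from 192.0.2.9 port 33005 ssh2
"""

# Matches only rejected logons; accepted ones are deliberately ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, user, source) tuples for every rejected logon.

    Syslog lines carry no year, so one is assumed (default 2024)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def find_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Flag each source with >= threshold failures inside any sliding window.

    Keeps, per source, the densest window seen (sliding two-pointer scan)."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (src not in findings or count > findings[src]["count"]):
                findings[src] = {
                    "src": src,
                    "count": count,
                    "users": sorted({u for _, u in hits[start:end + 1]}),
                    "first": hits[start][0],
                    "last": hits[end][0],
                }
    return findings


def classify_alert(finding, threshold=5):
    """Assumed policy: page someone (active) when many accounts are targeted or
    the volume is double the threshold; otherwise log it for review (passive)."""
    if len(finding["users"]) >= 3 or finding["count"] >= 2 * threshold:
        return "active"
    return "passive"


def review_log(log_text):
    """End-to-end review: parse, correlate, classify; findings sorted by source."""
    findings = find_brute_force(parse_failures(log_text))
    report = []
    for src in sorted(findings):
        f = dict(findings[src])
        f["alert"] = classify_alert(f)
        report.append(f)
    return report


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f['alert']:7s} {f['src']:14s} {f['count']} failures "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S} users={f['users']}")
```

The two flagged sources illustrate why the review looks at both the number and the types of rejections: the same count of failures reads as an attack on one account (passive, logged for the daily review) or as a sweep across many accounts (active, paged immediately). Thresholds and the window must be tuned per system; a legitimate user retyping a password, like 198.51.100.22 above, must not trip them.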
[Adapted from materials provided by the Virginia Alliance for Secure Computing and Networking (VA SCAN -- see http://www.vascan.org)]
University Standards for Threat Detection
- The University establishes and maintains multiple processes to identify and evaluate threats and assign appropriate action based on risks.
- The University's firewall technology must have security logging turned on.